With over 30 years of experience in both the physical and information security realms, Tim McCreight is a symbol of ingenuity within Canada’s security sector. Tim has successfully advised provincial and municipal governments on maintaining cybersecurity within complex environments and has led various corporations’ security management initiatives in sectors ranging from natural resources to information technology.

In addition to his nine-to-five job, Tim is a passionate member of ASIS International. His membership with ASIS has allowed Tim to give back to the global security industry and its members. He was previously a Regional Vice President for a number of Canadian ASIS chapters in Saskatchewan, Alberta and British Columbia, and is now a member of the ASIS Board of Directors at the global level. In his current role on the ASIS Board, Tim has been able to apply his true passion as an Enterprise Security Risk Management (ESRM) Board Sponsor. As a self-proclaimed ESRM evangelist, Tim was happy to share his perspective on ESRM with me on the ground floor of the Global Security Exchange (GSX) Conference.

What is ESRM?

Tim McCreight
Tim McCreight

Innovators will always search for the next solution to the challenges they’re faced with. However, in a world full of buzzwords and flavours of the week, it’s important to understand what ESRM truly is and how it supports the work of security professionals. From Tim’s perspective, ESRM is a philosophy and framework that will “change the way we operate as security professionals.”

John Petruzzi, also a member of the ASIS Board of Directors, has defined ESRM as “a security program management approach that links security activities to an enterprise’s mission and business goals through risk management methods.” In essence, ESRM embeds security within every aspect of an organization’s strategic objectives. By implementing ESRM within the corporate structure of an organization, every strategic initiative, corporate process, procedure and project will assess risks to physical and informational assets.

What is the security professional’s role in ESRM?

There’s no question that it is every security professional’s goal to secure a seat at an organization’s strategic table and ensure security interests are engrained in day-to-day business. It is Tim’s view that by adopting and implementing ESRM, it can become the tool to get security professionals a seat at the strategic table. In order for an organization to buy into the ESRM model, a security professional must work with operational members of organizations to identify and resolve security risks together. Tim suggests that it is essential that the “business decides how to resolve the risk based on their perspectives.” Because ESRM is inherently adaptive as a management philosophy, security professionals must conduct regular audits and work with operational staff to ensure risk mitigation. As a result, the security professional becomes a knowledge expert and guide for operational staff when organizations implement and execute the ESRM model.

The future of ESRM

After three years of ASIS International canvassing its members for feedback on the adoption of ESRM, 2019 marks a planned transition for ESRM from “ceremonial…to a functional model that is engrained in the culture of ASIS.” The GSX has been ground zero for ESRM’s adoption as an industry standard. This year’s conference featured over 17 sessions focused on educating members and obtaining feedback regarding the future of ESRM within ASIS and the broader security industry. Tim and other ASIS members will analyze and assess the findings from this year’s ESRM sessions, and use that information to implement the philosophy into ASIS’ operational programs. In addition, ASIS members who expressed an interest in ESRM will be provided with communication materials and tasked with bringing the concept back to their individual chapters for broadscale dissemination and to execute deliverables. Like ESRM itself, the adoption of the philosophy into ASIS’ culture will be based upon continuous improvement principles. As a result, the upcoming 2019 and 2020 GSX Conferences will be critical for the ongoing implementation of ESRM into ASIS International culture.

A significant takeaway from my discussion with Tim was that he felt the adoption of ESRM as an ASIS and industry standard will lead to security no longer being viewed as a trade, but instead viewed as a profession supported by experts. Through the professionalization of the security industry, the role of security and security professionals will transform from the operational to the strategic.